How to: Create a Security Token Service

03/30/2017 · 5 minutes to read


A security token service implements the protocol defined in the WS-Trust specification. This protocol defines message formats and message exchange patterns for issuing, renewing, canceling, and validating security tokens. A given security token service provides one or more of these capabilities. This topic looks at the most common scenario: implementing token issuance.

Scope information that indicates the target service that the issued token will be used with.

The security token service uses the information in the issue request message when it constructs the Issue Response message.

Response Message Structure

The issue response message structure typically consists of the following items:

The issued security token, for example, a SAML 1.1 assertion.

A proof token associated with the security token. For symmetric keys, this is often an encrypted form of the key material.

References to the issued security token. Typically, the security token service returns a reference that can be used when the issued token appears in a subsequent message sent by the client and another that can be used when the token is not present in subsequent messages.

In addition, a couple of other items might be present:

Key material provided by the security token service.

The algorithm needed to compute the shared key.

Lifetime information for the issued token.

Processing Request Messages

The security token service processes the issue request by examining the various pieces of the request message and ensuring that it can issue a token that satisfies the request. The security token service must determine the following before it constructs the token to be issued:

The request really is a request for a token to be issued.

The security token service supports the requested token type.

The requester is authorized to make the request.

The security token service can meet the requester's expectations with respect to key material.
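The four checks above are the gate an STS must pass before it builds anything. The following C# is an added illustration, not code from the original article or the WCF samples: it models the parsed issue request with a hypothetical `IssueRequest` class, uses the WS-Trust 1.3 and SAML 1.1 identifier URIs for the request type, key type and token type, and assumes a per-target authorization policy (the `AllowedTargetsToRole` table and the `http://localhost/...` address are constructed for the example).

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;

// Hypothetical in-memory view of a parsed <wst:RequestSecurityToken> (constructed for this example).
public sealed class IssueRequest
{
    public string RequestType { get; set; }   // wst:RequestType
    public string TokenType { get; set; }     // wst:TokenType (may be omitted by the client)
    public string AppliesTo { get; set; }     // wsp:AppliesTo endpoint address of the target service
    public string KeyType { get; set; }       // wst:KeyType (may be omitted by the client)
    public int KeySize { get; set; }          // wst:KeySize in bits; 0 means not specified
}

public static class IssueRequestValidator
{
    // WS-Trust 1.3 and SAML 1.1 identifiers from the respective specifications.
    public const string IssueRequestType = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue";
    public const string SymmetricKeyType = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/SymmetricKey";
    public const string Saml11TokenType = "urn:oasis:names:tc:SAML:1.0:assertion";

    // Assumed STS policy: which target services this STS issues tokens for, and the role a requester needs.
    static readonly Dictionary<string, string> AllowedTargetsToRole =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "http://localhost/servicemodelsamples/service.svc", "Users" }, // constructed sample entry
        };

    // Returns null when the request may be honoured, otherwise a reason that maps to a wst:Fault.
    public static string Validate(IssueRequest request, IPrincipal requester)
    {
        if (request == null) return "Missing request.";

        // 1. The request really is a request for a token to be issued.
        if (!string.Equals(request.RequestType, IssueRequestType, StringComparison.Ordinal))
            return "Only Issue requests are supported.";

        // 2. The STS supports the requested token type (a SAML 1.1 assertion is the default when omitted).
        if (!string.IsNullOrEmpty(request.TokenType) &&
            !string.Equals(request.TokenType, Saml11TokenType, StringComparison.Ordinal))
            return "Unsupported token type: " + request.TokenType;

        // 3. The requester is authorized: authenticated, and in the role required for the named target.
        string requiredRole;
        if (string.IsNullOrEmpty(request.AppliesTo) ||
            !AllowedTargetsToRole.TryGetValue(request.AppliesTo, out requiredRole))
            return "Unknown or missing AppliesTo target.";
        if (requester == null || requester.Identity == null ||
            !requester.Identity.IsAuthenticated || !requester.IsInRole(requiredRole))
            return "Requester is not authorized to obtain a token for this target.";

        // 4. Key material expectations: this STS only issues symmetric proof keys of 128 to 256 bits.
        if (!string.IsNullOrEmpty(request.KeyType) &&
            !string.Equals(request.KeyType, SymmetricKeyType, StringComparison.Ordinal))
            return "Unsupported key type: " + request.KeyType;
        if (request.KeySize != 0 && (request.KeySize < 128 || request.KeySize > 256 || request.KeySize % 8 != 0))
            return "Unsupported key size: " + request.KeySize;

        return null;
    }

    public static void Main()
    {
        var request = new IssueRequest
        {
            RequestType = IssueRequestType,
            TokenType = Saml11TokenType,
            AppliesTo = "http://localhost/servicemodelsamples/service.svc",
            KeyType = SymmetricKeyType,
            KeySize = 256,
        };
        // Constructed caller identity: an authenticated user in the "Users" role.
        var requester = new GenericPrincipal(new GenericIdentity("alice"), new[] { "Users" });
        Console.WriteLine(Validate(request, requester) ?? "request accepted");

        request.AppliesTo = "http://other.example.test/service.svc"; // not in policy
        Console.WriteLine(Validate(request, requester));
    }
}
```

The order matters: the cheap structural checks (request type, token type) run before authorization, and authorization runs before any key material is generated, so an unauthorized requester never causes the STS to mint a key. Rejecting an unknown `AppliesTo` is what prevents the STS from issuing a token that a client could then replay against a service it was never meant to reach.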

Two vital parts of constructing a token are determining what key to sign the token with and what key to encrypt the shared key with. The token needs to be signed so that when the client presents the token to the target service, that service can determine that the token was issued by a security token service that it trusts. The key material needs to be encrypted in such a way that the target service can decrypt that key material.

Signing a SAML assertion involves creating a SigningCredentials instance. The constructor for this class takes the following:

Encrypting the shared key involves taking the key material and encrypting it with a key that the target service can use to decrypt the shared key. Typically, the public key of the target service is used.

Creating Response Messages

Once the security token service processes the issue request and constructs the token to be issued along with the proof key, the response message needs to be constructed, including at least the requested token, the proof token, and the issued token references. The issued token is typically a SamlSecurityToken created from the SamlAssertion, as shown in the following example.
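The steps described in the last three sections (choosing the signing key, wrapping the proof key for the target service, and producing the `SamlSecurityToken` from the `SamlAssertion`) fit together as follows. This C# is an added example written for this page, not the article's own sample, and it assumes .NET Framework 4.5 or later for `SecurityAlgorithms.RsaSha256Signature`; the certificate file names, password and subject name are placeholders, and the token's lifetime and confirmation method are choices made for the example.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel.Security;
using System.Text;
using System.Xml;

public static class TokenIssuer
{
    // Issues a signed SAML 1.1 holder-of-key assertion for 'subjectName' scoped to 'targetService'.
    // The proof key is returned so the caller can build the wst:RequestedProofToken element.
    public static SamlSecurityToken IssueToken(
        X509Certificate2 stsSigningCert,    // STS private key: the target service trusts this issuer
        X509Certificate2 targetServiceCert, // target service's certificate: only its public key is used
        string subjectName, Uri targetService, out byte[] proofKey)
    {
        // Fresh symmetric proof key generated by the STS (256 bits).
        proofKey = new byte[32];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(proofKey);

        // Wrap the proof key with the target service's public key (RSA-OAEP) so that only
        // the target service can decrypt it. The wrapped key is carried inside the assertion
        // subject as an EncryptedKey reference, with a thumbprint reference to the wrapping cert.
        var targetKey = new X509AsymmetricSecurityKey(targetServiceCert);
        byte[] wrappedKey = targetKey.EncryptKey(SecurityAlgorithms.RsaOaepKeyWrap, proofKey);
        var wrappingKeyRef = new SecurityKeyIdentifier(new X509ThumbprintKeyIdentifierClause(targetServiceCert));
        var proofKeyRef = new SecurityKeyIdentifier(
            new EncryptedKeyIdentifierClause(wrappedKey, SecurityAlgorithms.RsaOaepKeyWrap, wrappingKeyRef));

        // Holder-of-key subject: the token is only usable by a party that can prove possession of the proof key.
        var subject = new SamlSubject(null, null, subjectName,
            new[] { SamlConstants.HolderOfKey }, null, proofKeyRef);

        DateTime now = DateTime.UtcNow;
        var statements = new SamlStatement[]
        {
            // SAML 1.1 password authentication method URI (example choice).
            new SamlAuthenticationStatement(subject, "urn:oasis:names:tc:SAML:1.0:am:password", now, null, null, null),
        };

        // Lifetime plus an audience restriction: the assertion is only valid at the requested target.
        var conditions = new SamlConditions(now.AddMinutes(-5), now.AddHours(1));
        conditions.Conditions.Add(new SamlAudienceRestrictionCondition(new[] { targetService }));

        var assertion = new SamlAssertion(
            "_" + Guid.NewGuid().ToString("N"),    // NCName-safe assertion ID
            "urn:example:sts",                     // placeholder issuer name
            now, conditions, null, statements);

        // Sign with the STS key; the target service checks this signature against the issuer it trusts.
        var signingKey = new X509AsymmetricSecurityKey(stsSigningCert);
        var signingKeyRef = new SecurityKeyIdentifier(new X509RawDataKeyIdentifierClause(stsSigningCert));
        assertion.SigningCredentials = new SigningCredentials(
            signingKey, SecurityAlgorithms.RsaSha256Signature, SecurityAlgorithms.Sha256Digest, signingKeyRef);

        return new SamlSecurityToken(assertion);
    }

    // Serializes the token (the XML signature is computed during writing) for placement in wst:RequestedSecurityToken.
    public static string Serialize(SecurityToken token)
    {
        var sb = new StringBuilder();
        using (var writer = XmlWriter.Create(sb, new XmlWriterSettings { OmitXmlDeclaration = true }))
            WSSecurityTokenSerializer.DefaultInstance.WriteToken(writer, token);
        return sb.ToString();
    }

    public static void Main()
    {
        // Placeholder certificate files; in a deployment these come from the machine certificate store.
        var stsCert = new X509Certificate2("sts-signing.pfx", "PLACEHOLDER_PASSWORD");
        var serviceCert = new X509Certificate2("target-service.cer");

        byte[] proofKey;
        SamlSecurityToken token = IssueToken(stsCert, serviceCert, "alice",
            new Uri("http://localhost/servicemodelsamples/service.svc"), out proofKey);
        Console.WriteLine(Serialize(token));
        Console.WriteLine("Proof key length: {0} bytes (wrapped copy travels inside the assertion)", proofKey.Length);
    }
}
```

Two points to check when adapting this: `X509AsymmetricSecurityKey` only signs with SHA-256 when the STS certificate's private key provider supports it (CNG, or a CSP that is not the legacy RSA provider), and the proof key must never be sent to the client in the clear alongside the wrapped copy unless the channel to the client is itself confidential, since anyone who learns it can impersonate the holder at the target service.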